Implementing Top Secret Cleanup: Backing Out Changes Made By Cleanup
search cancel

Implementing Top Secret Cleanup: Backing Out Changes Made By Cleanup

book

Article ID: 55163

calendar_today

Updated On:

Products

Cleanup

Issue/Introduction

How do you undo changes made by Cleanup via the CMDS file?

Resolution

Cleanup report utility AT6#RPT not only generates the TSS commands to remove unused security records, but it can also generate TSS commands to back out the changes. When setting up your Cleanup JCL to remove unused security records, specify the BACKOUT DD statement and the CMDS DD statement in the JCL.

The CMDS DD contains the TSS commands to cleanup unused security records. The BACKOUT DD contains the TSS commands to undo the cleanup of unused security records.

Notes:
1) The CMDS DD
must be present in the JCL for the BACKOUT DD output to be generated. If no BACKOUT DD statement is present, no TSS commands will be generated to undo the changes. It is highly recommended that the BACKOUT DD statement be present anytime old security records are being removed. The TSS commands generated to remove the security records and recover the security records should be kept for future reference.

2) The CFILE DD statement is required when producing command output. The CFILE DD points to an input file containing an unloaded version of the security file. You can create this file using the Top Secret TSSCFILE utility. Ensure that the contents of the CFILE are current. Ensure that the CFILE contains all users and profiles that are included in the current cleanup report request. If these files are not present, a report is produced without the command file output. CFILE statements are optional.

Example:

//DBRPT JOB ACCT,REPORT,CLASS=A,MSGCLASS=X
//*---------------------------------------------
//* REPORT UNREFERENCED ENTRIES OVER 30 DAYS
//*---------------------------------------------
//S1 EXEC PGM=AT6#RPT,REGION=4M,PARM='UNREF=030'
//STEPLIB DD DISP=SHR,DSN=CAI.CAILIB
//DBASE DD DISP=SHR,DSN=CAI.ETCL.DB
//SYSPRINT DD SYSOUT=*
//SUMMARY DD SYSOUT=* Optional output file
//UNLOAD DD SYSOUT=* Optional output file
//*
//* OPTIONAL INPUT FOLLOWS FOR SELECTIVE REPORTING
//*
//INCLUDE DD * ASTRO2 Name any User or Profile MARSPROF Name any User or Profile
//*
//* OTHER OPTIONAL FILES FOLLOW
//*
//CMDS DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//BACKOUT DD SYSOUT=*,DCB=(RECFM=FB,LRECL=80,BLKSIZE=0)
//CFILE DD DISP=SHR,DSN=CAI.CFILE
//*
//SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,5)
//

Additional Information

There are special considerations when unused PROFILEs have been removed and need to be recovered.

  1. PROFILEs removed from an acid.

    When a profile is to be added back based on a monitored user, the TSS commands will be generated with valid ordering criteria taken from the TSSCFILE input list of the user. This will ensure the profile is added back in the proper sequence. If the first profile from the current list needs to be added, it will include the 'FIRST' keyword. All other profiles to be added will include the 'AFTER(xxxxxxxx)' keyword, where 'xxxxxxxx' represents the prior profile from the list.

  2. PROFILEs removed from the security file.

    When a profile is to be added back based on a monitored profile, the TSS commands cannot be generated with ordering criteria, since the TSSCFILE input for a listed profile does not include the order of any attached user's profile list, it only contains the list of attached users. Since the necessary order data cannot be obtained, the REM request will be commented out as follows:

    /*TSS REM(ETCLUR1) PROFILE(ETCLPRFZ)
    /* ADD has no profile order

    Some action must now be taken by the administrator to review the ADD command that corresponds to this REMove command and insert ordering criteria if required, and to remove the comment data from the REMove command to allow it to execute. This should only be a concern if profiles are monitored and users are not monitored. If the users are monitored as described in Step 1, then the research required for Step 2 is minimized.